Did I misspeak?  My server I am looking at running this on has a single 
interface, with 3 addresses;
   An ipv4
   A link-local ipv6
   A routable ipv6

The clients have just the two IPv6 addresses, no IPv4 address (other than 
127.0.0.1). 

I agree that in an IPv6 capable service, the $interface is less meaningful, and 
single ip or an "any IPv6"/"any IPv4" is far simpler. 

I am not currently using iptables, rather am relying on an absolute minimum of 
services and tcpwrappers.  Yes iptables is a recommended solution for a 
multi-interface system (say bridging a firewall), but it adds 
management/debugging complexity in many of the easy cases.    I like to think 
my setup is an easy case. 

If I were in a more bandwidth limited environment, but with our current tight 
security, I would likely be requesting tcpwrappers in the IPv4 world as well. 
But with cheap bandwidth, it is easier for me to hammer the mirrors than cache 
files locally for a fairly small number of servers. 

I guess I view iptables and tcpwrappers as running at different levels, but 
having overlapping roles. Iptables is configured without the process being 
aware of it. Tcpwappers has to be compiled in, but doesn't cost much if not 
used. 

I unfortunately am not in a good position to do much testing, as we haven't 
deployed much in IPv6 yet.  I will do what I can though.  
      Warren




-----Original Message-----
From: Eric Cooper <[EMAIL PROTECTED]>
To: Overholt, Warren
CC: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Sent: Tue Mar 04 22:06:37 2008
Subject: Re: Bug#468058: approx: No visible support of IPv6

On Tue, Mar 04, 2008 at 09:05:01PM -0500, Overholt, Warren wrote:
> Listening on all IPv6 addresses would be acceptable to me, if I can
> limit
> access to certain IPs (say with tcpwrappers).  Both postfix and ssh
> appear
> to allow binding to a specific IPv6 address, but they lead on the 
> security curve.  On the other hand bind9 seems to only allow IPv6 
> listening to be enabled or disabled, not by port/IP (although it does 
> have internal acls).
> 
>       The somewhat vague answer is to request that the clients
> connecting
> can be limited appropriately.  I am using tcpwrappers for security on
> other services in IPv6.  Limiting to the local-link address would also
> work in my configuration.  IPv6 firewalls are not as developed/tested as
> IPv4 firewalls, so I do not trust them to provide as much security for
> now.

In my experimental version, I have made approx first try to listen on an
IPv6 socket if supported, otherwise fall back to IPv4.  It seems to
work, but I don't have much of an IPv6 testbed here.  If you're able
to test it more thoroughly, please let me know.

It no longer supports the $interface parameter, since
it's not clear what address that should mean, and I don't want to add
a lot of configuration machinery to specify multiple addresses.

So tcpwrappers would be one possibility, but it seems vulnerable to
source IP address spoofing. I think it would be better to use iptables
rules for servers with multiple interfaces.  Would that work in your
environment?

-- 
Eric Cooper             e c c @ c m u . e d u

Reply via email to